1 February 2024
Personal Data: Tougher Liability and Other Legislative Initiatives

The legislator is currently reviewing — and has advanced to the next stage — several important draft legal acts in the field of personal data processing, relevant to all sectors of business.

1. Significant Increase in Liability for Personal Data Breaches

On 23 January 2024, the State Duma passed at first reading two bills (Nos. 502104-8¹ and 502113-8²) significantly increasing liability for breaches in personal data processing.

The first bill (No. 502104-8) introduces substantial administrative penalties for personal data “leaks”, including turnover-based fines. In particular, it proposes adding new parts 12–17 to Article 13.11 of the Russian Code of Administrative Offences, under which an operator’s acts (or omissions) leading to the unlawful transfer (provision, dissemination, access) of information containing personal data may result in sizeable fines. The amount would depend on the number of affected data subjects, the volume of compromised identifiers³, or the sensitivity of the leaked data.

For companies, fines may reach:

  • Up to RUB 5 million — for a leak affecting 1,000–10,000 individuals and/or 10,000–100,000 identifiers;
  • Up to RUB 10 million — for a leak affecting 10,000–100,000 individuals and/or 100,000–1 million identifiers;
  • Up to RUB 15 million — for a leak affecting more than 100,000 individuals and/or over 1 million identifiers, or for a leak involving special categories of personal data (e.g., health information).

For repeat offences, the fine will depend on total revenue (up to 3%) for the preceding year (or other statutory period), but will be no less than RUB 15 million (RUB 20 million for leaks of special categories of personal data) and no more than RUB 500 million.

The bill also introduces liability for failing to notify (or untimely notification of) Roskomnadzor about the intention to process personal data or about a data leak — fines of up to RUB 300,000 and RUB 3 million, respectively.

The second bill (No. 502113-8) proposes adding Article 272.1 to the Russian Criminal Code, establishing new criminal offences:

  • Unlawful use and/or transfer, collection and/or storage of computer information containing personal data obtained unlawfully — punishable (with aggravating circumstances) by up to 10 years’ imprisonment and a fine of up to RUB 3 million, with possible disqualification from certain positions or activities for up to five years;
  • Creation and/or operation of information resources, systems, or software knowingly intended for unlawful storage or transfer of computer information containing personal data — punishable by up to five years’ imprisonment and a fine of up to RUB 700,000, with possible disqualification for up to two years.

Amendments to both bills must be submitted by 6 February 2024.

2. Expanded Powers for Roskomnadzor to Conduct Unscheduled On-Site Inspections

On 22 December 2023, a bill⁴ was submitted to the State Duma granting Roskomnadzor the authority to conduct unscheduled on-site inspections upon receipt of information about personal data leaks.

This will be added as a separate legal basis for inspections, alongside those already provided under Federal Law No. 248-FZ of 31 July 2020 On State Control (Supervision) and Municipal Control in the Russian Federation (e.g., prosecutor’s request, orders from the President or Government). The stated aim is to enable a prompt response to incidents, including identifying their causes and preventing recurrence.

Such inspections will still follow the general procedural rules, including the requirement for prior approval from the prosecutor’s office.

The bill is planned for consideration in the spring session. Comments and proposals may be submitted until 7 February 2024.

3. Regulation of Market Research Organisations

On 16 January 2024, the State Duma passed at first reading bill No. 412669-8⁵, regulating activities in the field of Russian goods market research.

The bill introduces a regulatory framework for “market research organisers” — Russian companies engaged in collecting, processing, and analysing data on the structure of the domestic goods market with annual revenue of at least RUB 30 million. Such data includes information on supply and demand levels, market conditions, aggregated data on consumers, producers, and importers, conditions of sale, pricing principles, and other information necessary for promoting specific goods (or categories of goods) on the market. These datasets may contain personal data.

The bill sets out requirements for market research organisers, including:

  • Foreign persons, stateless persons, or dual citizens — and affiliated entities — may not directly or indirectly own, manage, or control more than 20% of the charter capital without approval from the Government Commission;
  • Data obtained through research must be stored in databases located in Russia;
  • Technical means used for conducting research must be located in Russia;
  • Companies must refuse to execute foreign decisions imposing restrictive measures on Russia, its citizens, or its legal entities.

Market research organisers will be included in a special register if they are identified by the antimonopoly authority or if they operate in more than half of Russia’s regions.

Amendments must be submitted by 14 February 2024.

4. Ban on Debt Collection by Organisations with Hostile Foreign Participation

A further measure aimed at limiting foreign access to Russian citizens’ personal data is set out in the draft Presidential Decree On the Specifics of Debt Collection Activities of Certain Categories of Persons⁶, currently undergoing public consultation.

It proposes to prohibit debt collection from Russian individuals by collection agencies, microfinance institutions, and banks if their founders (participants) or management — including sole executive bodies — are foreign persons from “unfriendly” states.

According to the explanatory note, the objective is to prevent such entities from accessing substantial volumes of Russian citizens’ personal data, thereby reducing threats to economic and national security.

Public consultation is open until 31 January 2024.

Recommendations

  • Consider submitting comments on the proposed legislative acts.
  • Review business processes and documentation to assess necessary adjustments in light of existing regulations and in anticipation of the new measures.

¹ Bill No. 502104-8 “On Amendments to the Code of Administrative Offences of the Russian Federation” (regarding administrative liability for personal data “leaks”): https://sozd.duma.gov.ru/bill/502104-8.
² Bill No. 502113-8 “On Amendments to the Criminal Code of the Russian Federation”: https://sozd.duma.gov.ru/bill/502113-8.
³ Identifiers are unique designations of personal data necessary to identify individuals (e.g., passport series and number, SNILS, TIN).
⁴ Bill No. 518022-8 (unscheduled on-site inspections by Roskomnadzor): https://sozd.duma.gov.ru/bill/518022-8.
⁵ Bill No. 412669-8 (regulation of market research organisers): https://sozd.duma.gov.ru/bill/412669-8.
⁶ Draft Presidential Decree On the Specifics of Debt Collection Activities of Certain Categories of Persons: https://regulation.gov.ru/Regulation/Npa/PublicView?npaID=144879.


__________

This material has been prepared solely for informational and/or educational purposes and does not constitute legal advice or a legal opinion. EPAM Law, its management, lawyers, and staff cannot guarantee the applicability of such information to your specific circumstances and accept no liability for any decisions you make, or for any direct or indirect losses and/or damages arising from the use of the information contained in these materials, in whole or in part.
